This bug is triggered when the browser handles a JavaScript ‘onLoad’ handler in conjunction with an improperly initialized ‘window ()’ JavaScript function. This exploit results in a call to an address lower than the heap. The JavaScript prompt () places our shellcode near where the call operand points to. We call prompt () multiple times in separate iframes to place our return address. We hide the prompts in a popup window behind the main window. We spray the heap a second time with our shellcode and point the return address to the heap. I use a fairly high address to make this exploit more reliable. IE will crash when the exploit completes. Also, please note that Internet Explorer must allow popups in order to continue exploitation.

Share this:

Like this:

LikeLoading...

ABOUT THE AUTHOR

Raj Chandel

Raj Chandel is a Skilled and Passionate IT Professional especially in IT-Hacking Industry. At present other than his name he can also be called as An Ethical Hacker, A Cyber Security Expert, A Penetration Tester. With years of quality Experience in IT and software industry